The ICO exists to empower you through information.

A joint blog from Stephen Almond, ICO’s Executive Director for Regulatory Risk and Will Hayter, CMA’s Senior Director in the Digital Markets Unit.

Target audience is web designers and developers as well as organisations commissioning websites.

Have you ever considered the power you hold over people who visit your website? The website design practices you put in place can make their user journeys as smooth as silk, making it easier to find exactly what they’re looking for and encourage them to come back – but the darker side of that power is when it is used to pressurise and confuse.

In our position paper published today, we’re jointly calling for all organisations, web designers and developers to stop using harmful design practices that could undermine people’s control over their personal information and lead to worse consumer and competition outcomes.

Using language that suggests there’s a right or wrong decision on privacy policies. Making certain options easier to find to distort users’ choices. Presenting choices to steer users to pick a particular option. These are just some of the ways that your web design practices could be breaching data protection law and raising concerns from a consumer and competition law perspective.

One clear example of often harmful design are cookie consent banners. A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.  

Why does this matter? A person’s online life doesn’t start or end with their visit to your website. A choice they made on a cookies policy weeks ago could still be affecting the adverts they see and content they’re exposed to today. This can have a very real impact on their wellbeing. For example, someone recovering from a gambling problem being steered to ‘accept all’ cookies could mean they are being continually bombarded with betting adverts.

Our ICO-CMA joint position paper, Harmful design in digital markets: How online choice architecture practices can undermine consumer choice and control over personal information, sets out the pitfalls of harmful design and gives advice on what you should be doing instead.

The paper builds on joint work between CMA and ICO focusing on the interactions between competition and data protection. It also draws on the CMA’s existing work on online choice architecture, showing how broader online design choices can affect how users share their data.  Ensuring that people can make effective, informed decisions is good both for competition and for privacy.

Used responsibly, online choices can be designed to empower users to make effective and informed choices about the way their personal information is used in digital markets, building customer trust. To do this, you need to be:

  • Putting the user at the heart of design choices. Build your online interfaces around your customer’s interests and preferences.
  • Using design that empowers user choice and control. Help users to make effective and informed choices about their personal information and put them in control of how it is used.
  • Testing and trialling design choices. Use design that has been tested and trialled, to ensure your design choices are evidence based.
  • Complying with data protection, consumer and competition law. Consider the implications of these laws in your design practices.

If we don’t see improvements, the ICO will be taking enforcement action to protect people's data protection rights, particularly where design practices lead to risks or harms for people at risk of vulnerability. The CMA has been clear that this is a priority area and will continue to tackle problems caused by harmful design through its consumer and competition enforcement powers.

Together, through our work under the Digital Regulation Cooperation Forum, we will continue to collaborate to tackle harmful design practices, so that digital markets are serving consumers’ interests.

If you’re interested in discussing harmful design practices and the alternatives available, we’ll be holding a stakeholder workshop in the autumn about good practices for the design of privacy choices online. We encourage UX designers, information architects, firms and any other stakeholders invested in choice design to register their interest by email here: [email protected].